U.S. Department of Agriculture
Office of Inspector General
Northeast Region

Audit Report

Application Control Review of the Food and Nutrition Service’s Store Tracking and Redemption System II

Report No. 27501-02-Hy
March 2008


UNITED STATES DEPARTMENT OF AGRICULTURE
OFFICE OF INSPECTOR GENERAL
Washington D.C. 20250

March 31, 2008

REPLY TO
ATTN OF:      27501-02-Hy

TO:           Roberto Salazar
              Administrator
              Food and Nutrition Service

ATTN:         Lael Lubing
              Director
              Grants Management Division
              Food and Nutrition Service

FROM:         Robert W. Young /s/
              Assistant Inspector General
               for Audit

SUBJECT:      Application Control Review of the Food and Nutrition Service’s Store Tracking and Redemption System II

This report presents the results of our Application Control Review of the Food and Nutrition Service’s Store Tracking and Redemption System II. Your written response, dated March 6, 2008, is included as Exhibit A, with excerpts of your response and the Office of Inspector General’s (OIG) position incorporated into the Findings and Recommendations section of the report, where applicable.

We have reached management decision for Recommendations 1, 4, 6, 8, and 9. Please follow your agency’s internal procedures in forwarding information on final action to the Office of the Chief Financial Officer.

In order to achieve management decision on Recommendations 2, 3, 5, 7, and 10, please furnish a reply within 60 days describing the information requested in the OIG Position section of the report. Please note that Departmental Regulation 1720-1 requires a management decision to be reached on all recommendations within a maximum of 6 months from report issuance and completion of final action within 12 months of management decision.

We appreciate the courtesies and cooperation extended to us by members of your staff during this audit.


Executive Summary
Application Control Review of Food and Nutrition Service’s Store Tracking and Redemption System II (Audit Report No. 27501-02-Hy)

Results in Brief

The Food and Nutrition Service (FNS) uses the Store Tracking and Redemption System II (STARS II) to store information on retailers[1] that redeem benefits as part of the Food Stamp Program (FSP). STARS II also supports the benefit redemption activity by storing redemption data used for evaluating individual store activity. In fiscal year (FY) 2006, STARS II tracked $30 billion in food stamp redemptions, and the system currently manages over 160,000 authorized FSP retailers.

We assessed whether FNS properly documented and accredited the STARS II application and instituted the necessary controls to ensure that data in the system were valid, complete, and accurately processed.
We also determined whether STARS II met the security requirements of the Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, and other applicable regulations.

STARS II replaced the STARS mainframe system and received final certification and accreditation in August 2005. We concluded that FNS properly documented and accredited STARS II and established adequate application controls to ensure that the system contained valid, complete, and accurately processed data. However, we noted several weaknesses that FNS should address to further strengthen the security of STARS II. During discussions throughout the audit, FNS agreed that these weaknesses need to be corrected. FNS needs to: (1) improve security over computer resources, (2) implement actions agreed to in a prior recommendation regarding processing access requests, and (3) finalize the contingency plan for the STARS II primary computer facility, the Benefit Redemption System Branch (BRSB).

Departmental Manual (DM) 3510-001, Physical Security Standards for Information Technology (IT) Restricted Space, dated August 2004, requires the Department of Agriculture (USDA) to protect information resources through such means as layered physical security and effective security procedures and administration.

[1] Retailers include grocery stores, supermarkets, meal services, farmers’ markets, etc.

USDA/OIG-AUDIT No. 27501-02-Hy    Page i

• FNS did not adequately secure computer resources for STARS II at one field office and the two computer facilities we visited. For example, we identified weak controls for monitoring physical access to restricted areas at the computer backup facility. We also found that an unlocked room was used to store a server and supporting communication equipment in one field office.
Finally, FNS did not cleanse damaged hard drives of sensitive data before returning the drives to the manufacturer. The data on the hard drives included personally identifiable information (e.g., individual store owner names, addresses, and dates of birth) that was not encrypted. This occurred because FNS had not implemented the necessary procedures and controls to identify security weaknesses. As a result, IT data and resources are vulnerable to unauthorized access.

• FNS did not implement the agreed-upon corrective action associated with a recommendation in our September 2001 report on FNS’ Security Over IT Resources (Audit Report No. 27099-18-Hy). FNS officials explained that other funding priorities since 2000 have prevented the agency from implementing an automated process for system access. Most recently, homeland security directives have taken priority. As a result, FNS has not implemented an automated process for approving system access requests. FNS is currently working with contractors to automate access requests.

• According to FNS officials, the BRSB did not update its contingency plan due to staffing shortages. BRSB, within FNS’ Information Technology Division, manages the STARS II application. As a result, FNS’ computer facilities are more susceptible to unknown vulnerabilities, damage, or unplanned downtime in the event of a disaster or unexpected event. Without updates, FNS has limited assurance that operations can be recovered in a timely manner.

The Dallas Field Office did not adhere to established procedures for obtaining supervisory approval before authorizing stores in STARS II. This procedure provides assurance that STARS II data are accurate. In addition, the Dallas Field Office did not follow procedures[2] for reviewing system data for significant changes. The Officer-in-Charge (OIC) cited efficiencies in having one person enter store data in STARS II and authorize the store’s approval before the OIC performs the supervisory review of the information. The OIC also stated that reviewing STARS II data for significant changes was redundant. This procedure is not redundant, because it provides a second-party review to ensure that only appropriate stores are authorized. As a result, FNS has reduced assurance that stores are appropriately authorized and reinstated to operate in the FSP.

In February 2007, we identified that FNS had not monitored its vulnerability scans since it implemented the FNS Universal Telecommunications Network (UTN)[3] in August 2006. DM 3530-001, USDA Vulnerability Scans Procedures, dated July 20, 2005, requires USDA agencies to use scanning software to scan networks, systems, and servers on a monthly basis, for all existing and new networks, systems, servers, and desktops. Although FNS received notification that the scanning was performed, a firewall in the UTN prevented FNS from receiving the results of the scanning. During this time period there were no reported security incidents. However, STARS II was vulnerable to illegal and malicious activity or exploitation by internal and external sources.

[2] The procedures are detailed in chapters 3 and 6 of the STARS Users Manual.
[3] The purpose of the FNS UTN is to incorporate the FNS wide area network into the USDA UTN. UTN is designed to include not only the USDA Office of the Chief Information Officer backbone, but to expand to accommodate unique needs of each agency. UTN supports multiple virtual private networks, which allow each agency (including FNS) to keep its traffic completely isolated and set up unique virtual networks over the shared physical structure.
FNS addressed this weakness at the time we brought it to their attention. Accordingly, we are making no additional recommendations.

Recommendations in Brief

FNS needs to (a) develop and implement controls to ensure only authorized individuals have physical access to restricted areas at the STARS II backup facility, (b) require the field office to mitigate the physical security weakness identified, and (c) develop and implement controls to ensure sensitive data are removed from hard drives before returning them to the manufacturer. In addition, FNS should implement an automated process for processing system access requests and approvals and should update the BRSB contingency plan. Finally, FNS should instruct the Dallas Field Office to follow established procedures for authorizing stores in STARS II and reviewing system data for significant changes, and ensure this instruction is followed.

Agency Response

FNS generally agreed with the report’s 10 recommendations. We have incorporated FNS’ response into the Findings and Recommendations section of this report, along with OIG position. FNS’ response, dated March 6, 2008, is included as Exhibit A.

OIG Position

Based on FNS’ response, we were able to reach management decisions on Recommendations 1, 4, 6, 8, and 9. Management decisions on Recommendations 2, 3, 5, 7, and 10 can be reached once FNS has provided us with the additional information outlined in the report section, OIG Position.


Abbreviations Used in This Report

AO        Authorizing Official
BRSB      Benefit Redemption System Branch
DM        Departmental Manual
EBT       Electronic Benefit Transfer
FNCS      Food, Nutrition, and Consumer Services
FNS       Food and Nutrition Service
FSP       Food Stamp Program
FY        Fiscal Year
HSPD-12   Homeland Security Presidential Directive 12
ITD       Information Technology Division
IT        Information Technology
NIST      National Institute of Standards and Technology
OCFO      Office of the Chief Financial Officer
OIC       Officer-in-Charge
OIG       Office of Inspector General
OMB       Office of Management and Budget
SOP       Standard Operating Procedures
SP        Special Publication
STARS II  Store Tracking and Redemption System II
SWRO      Southwest Regional Office
UTN       Universal Telecommunications Network
USDA      U.S. Department of Agriculture
WIC       Special Supplemental Nutrition Program for Women, Infants, and Children


Table of Contents

Executive Summary ........ i
Background and Objectives ........ 1
Findings and Recommendations ........ 3
    Section 1 Security Improvements Needed ........ 3
        Finding 1 ........ 3
            Recommendation 1 ........ 6
            Recommendation 2 ........ 7
            Recommendation 3 ........ 8
            Recommendation 4 ........ 8
            Recommendation 5 ........ 8
            Recommendation 6 ........ 9
    Section 2 Access Request Process Needs Improvement ........ 10
        Finding 2 ........ 10
            Recommendation 7 ........ 11
            Recommendation 8 ........ 11
    Section 3 Contingency Planning Needs Improvement ........ 12
        Finding 3 ........ 12
            Recommendation 9 ........ 12
    Section 4 Supervisory Review of STARS II Data Needs Improvement ........ 14
        Finding 4 ........ 14
            Recommendation 10 ........ 15
Scope and Methodology ........ 17
Exhibit A – Agency Response ........ 19


Background and Objectives

Background

The Food and Nutrition Service (FNS) provides needy families better access to food and a more healthful diet. The Food Stamp Program (FSP) is one of the primary Federal food assistance programs FNS uses to accomplish its mission. FSP recipients receive their program benefits through electronic benefits transfer. Once a month, each participating household receives a benefit allotment determined by the family size, household income, and other related factors.
Recipients can use their benefits to pay for food items at participating retailers. Recipients use cards much like a debit card. By providing a personal identification number, recipients gain access to benefits through point-of-sale terminals located at approved food retailers.

The Store Tracking and Redemption System II (STARS II) stores information on the authorization, monitoring, investigation, withdrawal, and disqualification of retailer organizations that redeem food stamp benefits. STARS II also supports the benefit redemption activity by storing redemption data used for evaluating individual store activity. STARS II is located within FNS’ Information Technology Division (ITD), Benefit Redemption System Branch (BRSB).

STARS II replaced the STARS mainframe system and received final certification and accreditation in August 2005. STARS II is a web-based system that uses updated client-server technology and provides user-friendly access. In fiscal year (FY) 2006, STARS II tracked $30 billion in food stamp redemption activity. The system currently manages over 160,000 authorized FSP retailers. STARS II users include FNS officials responsible for FSP administration, the Office of Inspector General’s (OIG) Office of Investigations, Electronic Benefit Transfer (EBT) processors,[4] and State agencies administering the FSP and the Special Supplemental Nutrition Program for Women, Infants, and Children (WIC).

[4] Generally, States award contracts to private sector companies to develop and operate their EBT systems. These companies are usually financial institutions or other organizations that already handle debit and credit card systems or electronic funds transfer activities. However, the States remain financially liable to the Federal Government for actions of their EBT processors.

STARS II interfaces with other applications and systems to provide the following types of information.

• EBT processors and States depend on STARS II to provide them with updated information on currently authorized stores.

• FNS users depend on STARS II to update their store list for the Anti-fraud Locator using the EBT Retailer Transactions system; to manage the retailer side of the FSP at the National, Regional, and field levels; and to provide data to respond to requests for information.

• Contractors depend on STARS II to inform them of store visit information and scheduling.

• OIG users depend on STARS II for FSP investigatory needs.

• WIC program administrators rely on STARS II information to keep current on the status of authorized stores. WIC and FSP have a reciprocal agreement concerning disqualified stores.

Objectives

Our objectives were to assess whether STARS II has been properly documented and accredited; determine if application controls assure that data are valid, complete, and accurately processed; and determine if STARS II meets the security requirements of Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources, and applicable regulations.

To accomplish these objectives, we interviewed FNS officials; reviewed applicable policies, procedures, and records; and visited the STARS II primary and backup computer facilities and two FNS field offices.


Findings and Recommendations

Section 1 Security Improvements Needed

Finding 1

FNS did not adequately secure computer resources for STARS II at one field office and the two computer facilities we visited. For example, we identified weak controls for monitoring physical access to restricted areas at the computer backup facility. Also, we found that an unlocked room was used to store a server and supporting communication equipment in one field office. Finally, FNS did not cleanse damaged hard drives of sensitive data before returning the drives to the manufacturer. This occurred because FNS had not implemented the necessary procedures and controls to identify security weaknesses and ensure sensitive data are safeguarded.
As a result, IT resources\n                                  are vulnerable to unauthorized access.\n\n                                  Departmental Manual (DM) 3510-001, Physical Security Standards for IT\n                                  Restricted Space, August 2004, requires the Department of Agriculture\n                                  (USDA) to protect information resources through such means as layered\n                                  physical security and effective security procedures and administration.\n                                  National Institute of Standards and Technology (NIST) Special Publications\n                                  (SP) are a collection of documents used to assess the adequacy of system\n                                  controls, and ensure compliance with established policies and operational\n                                  procedures. 5\n\n                                  We reviewed physical security controls over STARS II at the primary and\n                                  backup facilities and at two field offices. The primary and back-up facilities\n                                  house the STARS II application and its supporting configuration. Field\n                                  offices initiate updates to the status of stores participating in the FSP. We\n                                  identified weaknesses in the controls FNS used to secure facilities where\n                                  STARS II resources are stored and used and to ensure sensitive data are\n                                  safeguarded.\n\n                                  Physical Security\n\n                                  FNS\xe2\x80\x99 controls were not effective to ensure that only authorized individuals\n                                  were permitted physical access to restricted areas at the STARS II computer\n                                  backup facility. 
The automated access system has been in place for several\n                                  years and FNS acknowledged that the system is cumbersome and requires\n                                  some work to produce the access list, by person and room.\n\n                                  \xe2\x80\xa2 FNS granted access to its restricted computer supply room to a group of\n                                     individuals identified only as \xe2\x80\x9cITD Work Crew.\xe2\x80\x9d This group entered the\n\n5\n    OMB Circular A-130, Management of Federal Information Resources, requires agencies to apply OMB policies and NIST guidance to achieve\n    adequate security.\n\nUSDA/OIG-AUDIT No. 27501-02-Hy                                                                                               Page 3\n\x0c                       restricted room nine times during a 2 \xe2\x80\x93 day period; however, the specific\n                       individuals who entered could not be identified. FNS created group\n                       access for convenience. FNS agreed that the best solution was eliminating\n                       group access and identifying access individually, by name. NIST\n                       SP 800-53 Revision 1, Recommended Security Controls for Federal\n                       Information Systems (NIST SP 800-53, Revision 1) recommends that the\n                       organization develop and keep a current list of personnel with authorized\n                       access to the facility where the information system resides and issue\n                       appropriate authorization credentials.\n\n                   \xe2\x80\xa2   FNS did not correctly program access control cards allowing\n                       unauthorized individuals to enter restricted areas. 
For example, a\n                       contractor had access to the backup computer facility without\n                       authorization and a card keyed for OIG staff use during fieldwork\n                       inappropriately granted access to a restricted contractor work area. We\n                       also identified a contractor who left in December 2006 but whose access\n                       rights were not removed until February 2007. FNS was unaware of the\n                       contractor\xe2\x80\x99s departure until after our inquiry because the departure was\n                       not communicated to FNS. FNS acknowledged that access should not\n                       have been granted in these cases and attributed these errors to incorrect\n                       system programming and mistakes in data entry. NIST SP 800-53\n                       Revision 1, recommends that an organization issue appropriate\n                       authorization credentials and encourages the prompt removal of personnel\n                       no longer requiring access, which mirrors guidance provided in\n                       DM 3510-001, Section 3d(2).\n\n                   \xe2\x80\xa2   The automated access control system has no audit trail for cancelled\n                       badges. FNS stated the current system is not designed to retain historical\n                       information, including the start date, expiration date, deletion date, and\n                       changes to access. 
Upon deletion, all records of that person are deleted.\n                       DM 3510-001, Section 3c(11) explains that access to the computer room\n                       will be electronically controlled and have the capability of providing an\n                       audit trail.\n\n                   \xe2\x80\xa2   FNS uses a manually prepared access list for the STARS II backup\n                       facility and computer supply room because the automated access system\n                       cannot readily generate an access list by door number. Our review of the\n                       current list, dated February 16, 2007, identified errors. For example, five\n                       contractors and the \xe2\x80\x9cITD Work Crew\xe2\x80\x9d were inappropriately omitted from\n                       the list. In addition, the list did not identify which of the facility\xe2\x80\x99s two\n                       rooms the individuals were authorized to access. NIST SP 800-53,\n                       Revision 1, recommends that the organization develop and keep a current\n                       list of personnel with authorized access to the facility.\n\n                   \xe2\x80\xa2   FNS did not maintain records of individuals with access to the\n                       STARS II backup facility. Copies of access authorizations were not\nUSDA/OIG-AUDIT No. 27501-02-Hy                                                           Page 4\n\x0c                                              available for 36 of 54 individuals on the access list for the\n                                              STARS II backup facility. According to FNS, they did not update their\n                                              access authorizations when a new authorization procedure was\n                                              implemented in 2005. This procedure utilized an e-mail request system to\n                                              grant access to restricted areas. 
    NIST SP 800-53, Revision 1, recommends that the organization develop and keep a current list of personnel with authorized access to the facility where the information system resides.

•   FNS did not have documentation to support its quarterly review of the access list to the STARS II backup facility and the computer supply room. FNS stated that the review was completed through a review of an electronic file, but FNS did not annotate the file with evidence of review. A quarterly review is required by DM 3510-001, Section 3d(6).

At both the primary and back-up STARS II facility, the visitor’s log did not identify the name of the visitor’s escort. Officials at both the primary and back-up facilities agreed with our concerns and stated that they would change the visitor’s log form to identify the escort. NIST SP 800-53, Revision 1, requires the organization to maintain visitor access records to the facility where the information system resides, including the name and organization of person visited.

We identified two significant physical security weaknesses in one field office.
Although this field office was located in a Federal office building, with its own access control measures, the public is granted access to the office for periodic EBT training.

•   Removable door hinges faced an exterior hallway which provided the opportunity to access the field office. The public used this door to access the office for periodic EBT training. DM 3510-001, Physical Security Standards for IT Restricted Space, August 2004, section 3c(16), requires that exterior doors have either interior hinges or exterior hinges with non-removable pins.

•   An unlocked room was used to store a server and supporting communication equipment for STARS II access. The door to this room had a cipher lock that was disabled with tape on both the door latch and the strike plate.[6] NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook, explains most users need to understand good computer security practices such as protecting the physical area and equipment, including locking doors.

[6] Subsequent to our visit, the field office installed a combination lock on the door.

Sensitive Data

FNS sent damaged hard drives to the manufacturer without removing sensitive data because the agency did not have the necessary equipment to cleanse the drives. The data on the hard drives included individual personally identifiable information (e.g., store owner names, addresses, and dates of birth) that was not encrypted. Once we brought this to FNS’ attention, the agency ceased returning the hard drives to the manufacturer. The Privacy Act of 1974[7] requires the protection of this type of information. The hard drives also included social security numbers; however, these data were encrypted. FNS received free replacement hard drives from the manufacturer for returning the damaged hard drives.

FNS’ contract with the manufacturer did not require the manufacturer to remove data from the hard drives. FNS stated that the manufacturer refurbished and re-sold the hard drives. This issue was identified and reported in the Departmental Security Review, performed by USDA’s Office of Chief Information Officer in April 2007.
FNS agreed that a computer forensic expert could recover the individual data from the hard drives after the drives had left FNS’ control. FNS agreed with this issue and ordered degaussing equipment to remove all data from the hard drives. Until the degaussing equipment arrives, FNS plans to destroy the damaged hard drives, instead of returning them to the manufacturer.

FNS needs to implement the necessary procedures and controls to improve the security of computer resources for STARS II at the field office and two computer facilities that we visited. These improvements need to address weaknesses in controls FNS used to secure facilities where STARS II resources are stored and used and to ensure sensitive data are safeguarded.

Recommendation 1

Develop and implement controls to ensure only authorized individuals have access to restricted areas.
These controls, at a minimum, should: (a) address how individuals are authorized access to restricted areas, (b) prohibit providing access to groups of individuals, and (c) detail procedures for timely revising and deleting authorizations.

Agency Response.

The Food, Nutrition, and Consumer Services (FNCS) Information Systems Security Guidelines and Procedures Handbook (FNCS-702) was published and distributed to all users on January 31, 2008. Section 700 of the Handbook, Guidance on IT Restricted Space and Physical Access Control, clearly defines requesting, deleting, and auditing access to restricted space.

An FNS-767, FNS IT Restricted Space Access Control Form, will be completed by March 14, 2008, and approved for each individual with access to IT restricted space.

[7] The Privacy Act of 1974 requires that Federal agencies not disclose any record of information about an individual by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.

Visitors must sign in and be escorted at all times by an individual who has a completed and approved FNS-767 on file.

As of March 17, 2008, the Property Management Branch will maintain all user access requests to IT restricted space by generating weekly reports of user access and performing audits for unauthorized access; remove access for users who have been inactive for 90 days; remove all access for users who have been terminated: FNCS employees, contractors and others who are no longer at FNCS; ensure that all user access requests to IT restricted spaces meet the appropriate security standards required to receive access; block access to IT restricted space for those individuals who lack the required security authorization; and perform user recertification quarterly.

OIG Position.

We accept FNS’ management decision.

Recommendation 2

Develop and implement a system for generating an accurate list of individuals who have access to restricted physical areas. This system should provide an audit trail with historical data on how individual authorizations were revised or deleted.

Agency Response.

MDI software, by virtue of design, cannot provide this type of information automatically.
At this time, FNS can generate the OIG requested files manually; FNS will be implementing Departmental issued Homeland Security Presidential Directive-12 (HSPD-12) compliant software. HSPD-12 card readers have been installed in preparation for the new software.

OIG Position.

To reach management decision, FNS needs to state whether the new access system required by HSPD-12 will provide the automated access list and audit trail lacking in the current MDI system. In addition, FNS needs to provide the expected timeframes for implementing the HSPD-12 compliant software.

Recommendation 3

Develop and implement controls to ensure that the quarterly review of the access list to restricted rooms is documented.

Agency Response.

The FNCS-702 Handbook was published and distributed to all users on January 31, 2008.
Section 700 of the Handbook, Guidance on IT Restricted Space and Physical Access Control, clearly defines requesting, deleting, and auditing access to IT Restricted Space.

Please see FNS Response for Recommendation 1.

OIG Position.

We agree with FNS’ proposed corrective action; however, to reach management decision, FNS needs to state whether controls ensuring that the quarterly reviews are documented are included in Section 700 of the FNCS-702 Handbook.

Recommendation 4

Revise the visitor logs to identify the visitor’s escort.

Agency Response.

The Visitor Log was modified in August 2007 to include visitor escort in Minneapolis and Alexandria prior to completion of the OIG audit.

OIG Position.

We accept FNS’ management decision.

Recommendation 5

Require the field office to mitigate the physical security weaknesses identified (e.g., properly locking the computer room and ensuring that exterior door hinges impede access to the office).

Agency Response.

As of February 27, 2008, the physical security requirements noted in the recommendation have been implemented in the computer rooms in Minneapolis and Alexandria that house STARS server components. There are no STARS server components or computer rooms in any FNS Field Office.

OIG Position.

While there are no STARS II server components or computer rooms in FNS field offices, the field offices provide support for managing the benefit redemption function, and STARS provides automated support for this function. The field office could be compromised because an unlocked room was used to store a server and supporting communication equipment for STARS II access. In addition, removable door hinges faced an exterior hallway which provided the opportunity to access the field office. The public used this door to access the office.

To reach management decision, FNS needs to require the field office to mitigate the physical security weaknesses identified.

Recommendation 6

Develop and implement controls to ensure that sensitive data are removed from damaged hard drives before these drives are returned to the manufacturer.

Agency Response.

As of January 31, 2008, FNS had implemented procedures to ensure that all equipment is degaussed before being disposed of. FNCS-702 Handbook, Section 1542, SDLC Phases and Detailed Security Requirements for each Phase, Part 5c and 5d, covers degaussing.

FNS has procured [                                  ], to ensure that sensitive data are removed from damaged or excess hard drives. All equipment is degaussed before being disposed of.

OIG Position.

We accept FNS’ management decision.

Section 2 Access Request Process Needs Improvement

Finding 2

FNS did not implement the agreed upon corrective action associated with a recommendation in our September 2001 report on FNS’ Security Over IT Resources (Audit Report No. 27099-18-Hy). FNS officials explained that other funding priorities since 2000 have prevented the agency from implementing an automated process for system access. Most recently, homeland security directives have taken priority. As a result, FNS had not implemented an automated process for approving system access requests. FNS is currently working with contractors to automate access requests.

In our prior report, we recommended that FNS establish controls to ensure the security office maintains and utilizes a master list of current users by system. In response, FNS agreed to implement an automated process for computer access requests for all FNS systems, to be implemented by December 31, 2001. The automated process will be based on the Form FNS-674, Computer System Access Request, which is currently still in use.

FNS reported that implementing the automated system has been part of its plans since 2000, but due to funding issues, it did not occur.
The most recent funding priority was the completion of Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors.[8] Currently, FNS has funding for the automated process and, as of June 2007, FNS was working with contractors to test the new system. As of January 2008, the new system had not been implemented.

FNS Handbook 702, FNS Information Systems Security Standards and Procedures, June 2002, requires the use of Form FNS-674, Computer System Access Request, for all system access including STARS II. FNS Handbook 702 requires supervisory approval for system access; however, the level of approval is unclear. FNS developed a procedure to use Regional approval officials; however, this was not incorporated into practice. The approval evolved into a centralized approval process. Currently, FNS-674s are being approved centrally by a single authorizing official (AO) for the over 700 STARS II users nationwide. However, FNS recognizes that a single approving official cannot knowledgeably assess individual needs for system access.
FNS plans to have 7 Regional AO’s who will approve access requests within their regional offices and field offices.

[8] HSPD-12, effective August 2004, requires a common identification standard for Federal employees and contractors and includes the completion of background investigations for those who require long-term access to federally controlled facilities and/or information systems.

Recommendation 7

Develop and implement an automated process for system access requests and approval.

Agency Response.

The Office of Information Technology is in the process of completing work on an automated system for access requests and approvals for STARS. The system will be rolled out to the user community no later than March 3, 2009.

OIG Position.

We agree with FNS’ proposed corrective action; however, we cannot accept management decision. FNS originally agreed to implement the new system by December 31, 2001. In June 2007, FNS officials told us the agency was working with contractors to test the new system.
To reach management decision, FNS needs to provide specific implementation milestones to roll out the system to the user community by March 2009.

Recommendation 8

Update FNS Handbook 702 to reflect changes in the STARS II approval process, which implements the use of regional AO’s.

Agency Response.

Standard Operating Procedures (SOP) are being created for User Access Request for all FNCS Systems. The SOP for STARS II will address the approval process implementing the use of Regional Authorizing Officials. Estimated completion date: June 1, 2008.

OIG Position.

We accept FNS’ management decision.

Section 3 Contingency Planning Needs Improvement

Finding 3

BRSB did not update the overall contingency plan for the IT center where STARS II is located. According to FNS officials, this was caused by staffing shortages. As a result, FNS’ computer facilities are more susceptible to damage or unplanned down time in the event of a disaster or unexpected event. Without an updated contingency plan, FNS has limited assurance that operations can be recovered in a timely manner.

NIST SP 800-34, Contingency Planning Guide for IT Systems, June 2002, requires a set of plans to properly prepare response, recovery, and continuity activities for disruptions affecting the organization’s IT systems.

BRSB provides primary support for the STARS II application.
In April 2007, FNS successfully completed a full recovery test of STARS II and revised the application portion of the contingency plan. BRSB developed the STARS II Contingency Plan as a key element of BRSB’s overall contingency plan, which includes the continuity of operations plan.

BRSB’s overall contingency plan included an outdated system description that references old equipment and platforms, an outdated damage assessment team that reflects former BRSB personnel, and an outdated sequence of recovery operations that references an outdated telecommunications network. FNS explained that it had been short staffed for an extended period and did not have an opportunity to review and update the plan. At the exit conference to discuss the results of our review in January 2008, FNS officials explained that the agency is still in the process of updating the BRSB contingency plan.

Recommendation 9

Finalize the BRSB’s overall contingency plan to update such things as system descriptions, assessment team members, and the sequence of recovery operations.

Agency Response.

The BRSB contingency plan is a living document and updated continually. The next revision will be completed by May 1, 2008. The plan must conform to all USDA Office of the Chief Information Officer templates and standards in order to fulfill existing departmental requirements.
These requirements include: Introduction, Concept of Operations, Notification and Activation Phase, Recovery Phase, Reconstitution Phase, Testing, Training and Exercise, and Plan Maintenance. System Descriptions and Assessment Teams are located in the Concepts of Operations Section. Operations are defined in the Recovery Phase Section.

OIG Position.

We accept FNS’ management decision.

Section 4 Supervisory Review of STARS II Data Needs Improvement

Finding 4

The Dallas Field Office did not adhere to established procedures for obtaining supervisory approval before authorizing stores in STARS II. This procedure provides assurance that STARS II data is accurate. In addition, the Dallas Field Office did not follow procedures for reviewing system data for significant changes. The Officer-in-Charge (OIC) cited efficiencies in having one person enter store data in STARS II and authorize the store’s approval before the OIC performs the supervisory review of the information. The OIC also stated that reviewing STARS II data for significant changes was redundant. This procedure is not redundant because it provides a second party review to ensure that only appropriate stores are authorized.
As a result, FNS has reduced assurance that stores are appropriately authorized and reinstated to operate in the FSP. We identified 7 of 15 newly authorized and reinstated stores within the Dallas Field Office without documentation of supervisory approval, which places FNS at risk of allowing stores to operate in the FSP without approval.

To test the processes used for entering data in STARS II and verifying data accuracy, we reviewed supporting records for retailer actions entered into STARS II by two FNS field offices. The retailer actions included such things as new authorizations, withdrawals, and disqualifications. Supporting records include hard copy case files and queries of STARS II. This review was conducted to evaluate the timeliness and accuracy of actions entered into STARS II.

The OIC of the Dallas Field Office allowed Program Specialists to enter and authorize store information in STARS II. However, the STARS II User Manual, Chapter 3, requires that stores should be approved by the OIC before the stores are authorized in STARS II.[9]
The user manual includes an Application Workflow Diagram that illustrates that after data entry and examination of the related documentation, the final application package should be submitted to the OIC for review and approval. For our sample of 15 newly authorized and reinstated stores in the Dallas Field Office,[10] we identified 7 without documentation of supervisory approval. In response to our inquiries, the OIC explained that supervisory review and approval occurred after the Program Specialists entered and authorized store information in STARS II. The OIC explained that she considered this to be a more efficient process. The Dallas Field Office is responsible for over 5,000 stores currently authorized in STARS II, approximately 3 percent of all stores authorized in FY 2007.

[9] The procedures allow the OIC to designate a Program Specialist with the authority to approve stores in place of the OIC. The OIC of the Dallas Field Office did not designate someone with this authority.

[10] We randomly selected 15 newly authorized and reinstated retailers from a universe of 297 stores and a universe of 1 meal service for the period of October 1, 2006 through April 20, 2007. The sample consisted of 9 newly authorized stores, 1 newly authorized meal service, and 5 reinstated stores. We selected the greater of 5 retailers or 5 percent of each universe. If the universe consisted of fewer than 5 retailers, we selected all the retailers for review.

Post approval of new authorizations places FNS at risk of allowing stores to operate in the FSP without approval. In March 2007, BRSB began printing and mailing the authorization letters and cards the day after stores were authorized in STARS II. As a result, authorization letters and cards could be mailed to stores before they have been approved by the OIC. In addition, STARS II sends EBT processors daily updates of store actions, including newly authorized and reinstated stores. The EBT processors use the information to identify the new stores that need food stamp redemption equipment. We found that the OIC in the Dallas Field Office reviewed and approved one new authorization 7 days after the store had been authorized in STARS II. The OIC could not explain why the review took this long. In contrast, the OICs in the New York City Field Office reviewed and approved new stores prior to the stores being authorized in STARS II.
The New York City Field Office is responsible for over 8,000 currently authorized stores, or approximately 5 percent of all stores authorized in FY 2007.

The STARS II User Manual, chapter 6, section 6.5.9, requires each OIC to run the monthly Supervisory Store/Meal Service Report, for the purpose of reviewing significant data changes, specifically new store authorizations, as a second party to ensure that only the appropriate stores are authorized to accept food stamp program benefits. The OIC for the Dallas Field Office informed us that this report was not reviewed, adding that it was redundant. This review is not redundant because the monthly review of the Supervisory Store/Meal Service Report provides a second party review to ensure that only appropriate stores are authorized.
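The approval-before-authorization and second-party review controls described in this finding can be checked mechanically against the system's own records. The following is an added example, not FNS code or part of the report; the record fields, user names, dates and store identifiers are constructed, and reading the manual's "by the 15th of each month" as the 15th of the month under review is an assumption.

```python
"""Added example: automated check of the STARS II store-authorization controls
described in Finding 4 (documented supervisory approval before authorization,
second-party review, monthly Supervisory Store/Meal Service Report). Not FNS
code; every field name, user name, date and store identifier is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class StoreAction:
    store_id: str
    action: str                  # "new_authorization" or "reinstatement" (constructed)
    entered_by: str              # user who entered and authorized the store in the system
    authorized_on: date          # date the store became authorized in the system
    approved_by: Optional[str]   # supervisory approver on file, None if none documented
    approved_on: Optional[date]  # date of the documented supervisory approval


def check_action(rec: StoreAction, designated_approvers: Set[str]) -> List[str]:
    """Return the control exceptions for one record; an empty list means it passes.

    Mirrors the workflow as the report describes it: approval must be documented,
    come from the OIC or a Program Specialist the OIC designated, be given by
    someone other than the data-entry user, and precede authorization.
    """
    if rec.approved_by is None or rec.approved_on is None:
        return ["no documented supervisory approval"]
    exceptions = []
    if rec.approved_by not in designated_approvers:
        exceptions.append("approver is not the OIC or a designated Program Specialist")
    if rec.approved_by == rec.entered_by:
        exceptions.append("entered and approved by the same person")
    if rec.approved_on > rec.authorized_on:
        lag = (rec.approved_on - rec.authorized_on).days
        exceptions.append(f"approved {lag} day(s) after authorization")
    return exceptions


def review_sample(records: List[StoreAction],
                  designated_approvers: Set[str]) -> Tuple[int, Dict[str, List[str]]]:
    """Run check_action over a sample; return the failure count and exceptions by store."""
    failures = {}
    for rec in records:
        exceptions = check_action(rec, designated_approvers)
        if exceptions:
            failures[rec.store_id] = exceptions
    return len(failures), failures


def report_run_on_time(run_dates: List[date], year: int, month: int,
                       deadline_day: int = 15) -> bool:
    """True if the monthly Supervisory Store/Meal Service Report was run for the
    given month by the deadline. Assumption: "by the 15th of each month" is read
    as the 15th of the month being reviewed."""
    deadline = date(year, month, deadline_day)
    return any(d.year == year and d.month == month and d <= deadline for d in run_dates)


# Constructed sample, not audit data. The OIC designated no Program Specialist,
# which is what the report states for the Dallas Field Office.
OIC = "oic.dallas"
DESIGNATED_APPROVERS = {OIC}
SAMPLE = [
    # approved by the OIC three days before authorization: passes
    StoreAction("S-0001", "new_authorization", "ps.alpha", date(2007, 2, 5), OIC, date(2007, 2, 2)),
    # approved 7 days after authorization (the lag the report found): post-approval
    StoreAction("S-0002", "new_authorization", "ps.alpha", date(2007, 3, 12), OIC, date(2007, 3, 19)),
    # no approval on file at all
    StoreAction("S-0003", "reinstatement", "ps.beta", date(2007, 3, 20), None, None),
    # Program Specialist approved her own entry and was never designated to approve
    StoreAction("S-0004", "new_authorization", "ps.beta", date(2007, 4, 2), "ps.beta", date(2007, 4, 1)),
    # same-day OIC approval: passes at date granularity
    StoreAction("S-0005", "reinstatement", "ps.alpha", date(2007, 4, 10), OIC, date(2007, 4, 10)),
]

if __name__ == "__main__":
    count, details = review_sample(SAMPLE, DESIGNATED_APPROVERS)
    print(f"{count} of {len(SAMPLE)} sampled actions failed the supervisory approval control")
    for store_id, exceptions in details.items():
        print(f"  {store_id}: {'; '.join(exceptions)}")
    print("March report run on time:", report_run_on_time([date(2007, 3, 9)], 2007, 3))
```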
This control was put in place in response to a prior OIG audit recommendation.

Recommendation 10

Instruct the Dallas Field Office to follow established controls for authorizing stores in STARS II and reviewing system data for significant changes and ensure the controls established in the STARS II User Manual are followed.

Agency Response.

On February 29, 2008, FNS forwarded a reminder of proper procedures to the Southwest Regional Office (SWRO) Acting Director of Field Operations. The agency indicated that it had reviewed the draft audit report and explained that the purpose of the audit was to assess whether FNS properly documented and accredited the STARS II application and instituted the necessary controls to ensure that data in the system were valid, complete, and accurately processed.

FNS specified that the report included information regarding the lack of adherence of the Dallas Field Office to established procedures for obtaining supervisory approval before authorizing stores in STARS II. FNS clarified that the purpose of its memorandum was to inform the SWRO of this finding and to request that the Field Office Director remind all of the OIC’s, particularly the OIC of the Dallas Field Office, that it is imperative that established controls for authorizing stores in STARS II and reviewing system data for significant changes be completed.
FNS reiterated that Section 6.5.8 of the STARS II User Manual requires that each OIC run the
monthly Supervisory Store/Meal Service Report (253-L) for the purpose of reviewing
significant data changes, specifically new store authorizations, as a second party to ensure
that only the appropriate stores are authorized to accept program benefits. FNS also reminded
them that this control was put in place in response to a prior OIG audit recommendation. As
specified in the STARS II User Manual, this report is mandated and is required to be run by
each OIC by the 15th of each month.

OIG Position.

We agree with FNS’ corrective action; however, to reach management decision, FNS needs to
describe how it will ensure controls established in the STARS II User Manual are followed.

Scope and Methodology

Our review was performed to assess whether STARS II has been properly documented and
accredited; determine if application controls assure that data are valid, complete, and
accurately processed; and determine if STARS II meets the security requirements of OMB
Circular No. A-130, Management of Federal Information Resources, and applicable regulations.
Our review covered STARS II operations in FY 2007; however, system documentation and related
activities from prior years were reviewed as needed.

We performed onsite fieldwork at FNS headquarters in Alexandria, Virginia; the BRSB in
Minneapolis, Minnesota; and FNS field offices in New York, New York, and Dallas, Texas. To
accomplish our objectives, we did the following:

•   Interviewed FNS officials responsible for managing STARS II at the BRSB in Minneapolis,
    Minnesota (the primary computer facility) and FNS headquarters in Alexandria, Virginia
    (the backup computer facility).

•   Reviewed agency, Departmental, and other federally mandated IT security policies and
    procedures.

•   Interviewed FNS officials responsible for entering store authorization data at field
    offices in New York, New York, and Dallas, Texas.

•   Performed testing of STARS II to ensure data were valid, complete, and accurate. This
    included reviewing documentation to support updates to store authorizations and the
    daily transmission of these data between STARS II and EBT retailers.
    We also validated daily redemption data sent from EBT retailers to STARS II.

•   Performed testing of STARS II to ensure compliance with security requirements for such
    things as physical security, access to systems, and encryption.

In FY 2006, STARS II tracked $30 billion in food stamp redemption activity. STARS II
currently manages over 160,000 authorized FSP retailers. To accomplish our work, we visited
the New York City and Dallas Field Offices. We selected these offices for review based on
the number of authorized stores they managed for FY 2007. The New York City Field Office
managed over 8,000 currently authorized stores, or approximately 5 percent of all stores
authorized in FY 2007. The Dallas Field Office managed over 5,000 stores, or 3 percent of
all stores authorized in FY 2007.

Audit fieldwork was performed from January to August 2007. We conducted this performance
audit in accordance with Government Auditing Standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on our
audit objectives.

Exhibit A – Agency Response

Exhibit A – Page 1 of 5
Exhibit A – Page 2 of 5
Exhibit A – Page 3 of 5
Exhibit A – Page 4 of 5
Exhibit A – Page 5 of 5